[PATCH] media: cpia2: Fix integer overflow in mmap handling
From: Takashi Iwai
Date: Wed Jan 08 2020 - 11:16:24 EST
The offset and size checks in cpia2_regmap_buffer() may ignore the
integer overflow and allow local users to obtain the access to the
kernel physical pages.
Fix it by modifying the check more carefully; the size value is
already checked beforehand and guaranteed to be smaller than
cam->frame_size*num_frames, so it's safe to subtract in the right
hand side.
This covers CVE-2019-18675.
Cc: <stable@xxxxxxxxxxxxxxx>
Signed-off-by: Takashi Iwai <tiwai@xxxxxxx>
---
I'm submitting this since there hasn't been any action seen for this
bug over a month. Let me know if there is already a fix. Thanks.
drivers/media/usb/cpia2/cpia2_core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/media/usb/cpia2/cpia2_core.c b/drivers/media/usb/cpia2/cpia2_core.c
index 20c50c2d042e..26ae7a5e3783 100644
--- a/drivers/media/usb/cpia2/cpia2_core.c
+++ b/drivers/media/usb/cpia2/cpia2_core.c
@@ -2401,7 +2401,7 @@ int cpia2_remap_buffer(struct camera_data *cam, struct vm_area_struct *vma)
if (size > cam->frame_size*cam->num_frames ||
(start_offset % cam->frame_size) != 0 ||
- (start_offset+size > cam->frame_size*cam->num_frames))
+ (start_offset > cam->frame_size*cam->num_frames - size))
return -EINVAL;
pos = ((unsigned long) (cam->frame_buffer)) + start_offset;
--
2.16.4